The National Security Agency took an exceptionally rare step last week when it disputed a New York Times report that one of its hacking tools was used in a ransomware attack that has crippled Baltimore city services for more than three weeks.
The organization once nicknamed “No Such Agency” typically stays tight-lipped about stories it believes are incorrect or misleading. The rare exception underscores that the NSA is trying to avoid a hit to its reputation, which has taken numerous blows in recent years, that would surely come if its tools were linked to the Baltimore attack.
The NSA has been facing intense scrutiny over whether it can keep its hacking tools out of adversaries’ hands. EternalBlue, the powerful tool the Times reported was used in the Baltimore attack, was stolen from the NSA and leaked online by a group called Shadow Brokers in 2016. It has since appeared in numerous hacking campaigns — including WannaCry, North Korea’s 2017 global ransomware operation.
But the impact of those attacks was spread over numerous international and domestic targets, whereas the optics of a U.S. government tool forcing offline a major American city in a single, high-visibility attack are especially bad, Jason Healey, a former White House cybersecurity official during the George W. Bush administration, told me in an email.
“This truly brings the pain home,” said Healey, who is now a senior research scholar at Columbia University's School for International and Public Affairs.
What's more, it could earn the attention of lawmakers. The global companies hit by EternalBlue "are not represented in Congress. Baltimore is,” Healey said.
And the more the public learns about EternalBlue attacks, the more the focus stays on the massive Shadow Brokers leak, which remains shrouded in mystery, Jake Williams, a former NSA hacker who founded the company Rendition InfoSec, told me.
"The biggest issue that NSA wants to avoid talking about is that they still don't know who the Shadow Brokers are or how the exploits were leaked," Williams said. "I think they know that those questions will follow from any EternalBlue discussion."
The agency’s pushback started Thursday when NSA Senior Adviser Rob Joyce swiped at the Times story during a speech at a cybersecurity conference. He suggested the NSA shouldn’t be held responsible for any EternalBlue hacks in 2019 because organizations have had two years to update their systems to protect against it.
"Focusing on a single exploit, especially one that has a patch that was issued years ago, is really short-sighted,” Joyce said.
From the Wall Street Journal's Dustin Volz:
Joyce: "The characterization that there is an indefensible nation-state tool propagating ransomware is simply not true. That is not true." — Dustin Volz (@dnvolz) May 30, 2019
To be clear, @nicoleperlroth and @ScottShaneNYT's story does not describe anything as indefensible.
Then on Friday, Rep. Dutch Ruppersberger (D-Md.) said NSA officials told him that there was no evidence EternalBlue was used in the Baltimore attack. Ruppersberger’s district includes the NSA and part of Baltimore.
I have been told that there is no evidence at this time that EternalBlue played a role in the ransomware attack currently affecting Baltimore City. More of my thoughts on the issue here: https://t.co/BsQju9aPEq — Dutch Ruppersberger (@Call_Me_Dutch) May 31, 2019
Ruppersberger added, however, that he wasn’t letting the NSA off the hook for instances in which EternalBlue was used against U.S. targets.
“Our country needs cyber tools to counter our enemies, including terrorists, but we also have to protect these tools from leaks,” he said. “We can’t ignore the damage that past breaches have done to American companies and, possibly, American cities.”
Ruppersberger’s statement didn’t settle the matter for some cyber pros, however.
Some of them pointed out that saying that the NSA doesn’t have “any evidence” that EternalBlue was used leaves open the possibility that there is indeed a connection to be found, but that the NSA doesn’t have it.
Here’s former NSA attorney and current executive editor of the Lawfare blog Susan Hennessey:
Yes, though be careful. NSA seems to just have said that they don't have any evidence of it so it may be short of outright denial. — Susan Hennessey (@Susan_Hennessey) June 1, 2019
And security researcher Robert Graham:
Yea, this is silly. That the NSA has no evidence EternalBlue was used in Baltimore is meaningless. Why would they? I mean, you'd have to quote them as "We do have evidence of how Baltimore was infected and how it spread, and therefore we have standing to say it wasn't EB". https://t.co/x3OX3zKqeO — Robᵇᵉᵗᵒ Graham (@ErrataRob) June 1, 2019
It’s also possible EternalBlue was part of the attack but didn’t leave clear traces, Williams noted.
With all due respect, I'm sure that "senior leaders of the NSA" told the absolute truth that they have no evidence EternalBlue was used in the Baltimore ransomware case. But let's be real about this, because context matters: — Jake Williams (@MalwareJake) June 1, 2019
1. Why would they specifically have that evidence? 1/4 https://t.co/92Pa10g78z
It's laughable to think that EternalBlue wasn't used here. If it wasn't, you can be damn sure it was in the attacker's toolbox. — Jake Williams (@MalwareJake) June 1, 2019
But even if EternalBlue were used, that doesn't mean Baltimore doesn't share the blame for not patching and having poor cybersecurity hygiene. 3/4
The Times, meanwhile, stood by its story. In a follow-up story, reporters Scott Shane and Nicole Perlroth said sources directly involved in the investigation had told them that four separate contractors working on restoring Baltimore’s IT services had discovered EternalBlue. The sources said the hackers used the tool to move rapidly across the city’s networks.
“This week, the contractors discovered an additional software tool, called a web shell, on Baltimore’s networks. They believe the web shell may have been used in conjunction with EternalBlue and another hacking technique known as ‘pass-the-hash,’ which uses stolen credentials, to spread the ransomware,” the Times reported.
NSA is pushing back, via a congressman, against the story by @nicoleperlroth and me on a stolen NSA hacking tool used in the attack on Baltimore. But we're told all four contractors working on the investigation have found the tool, EternalBlue. Details: https://t.co/PzDJX2q34s — Scott Shane (@ScottShaneNYT) June 1, 2019
That description worried some cyber pros, however, who thought the contractors might be confused. Here’s former NSA hacker Robert M. Lee, founder of the cybersecurity company Dragos.
Reading the NYT’s latest piece and how the attack is described I’m more convinced than ever they’re getting some bad info from a contractor working the Baltimore case. I don’t think this ends the way the NYT is expecting. — Robert M. Lee (@RobertMLee) June 1, 2019
You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
PINGED: The Justice Department won’t charge WikiLeaks founder Julian Assange with a crime for publishing a trove of leaked CIA hacking tools dubbed Vault 7, Politico’s Natasha Bertrand reported.
“It’s a move that has surprised national security experts and some former officials, given prosecutors’ recent decision to aggressively go after the WikiLeaks founder on more controversial Espionage Act charges that some legal experts said would not hold up in court,” Bertrand reported.
The decision was partly sparked by concerns that a public trial on those charges would force the government to reveal even more secrets about CIA hacking operations, Bertrand reported. The CIA has never officially acknowledged the Vault 7 leak.
Assange — who spent seven years avoiding U.S. charges by holing up in the Ecuadoran Embassy in London — was initially charged with computer hacking for offering to help Chelsea Manning crack the password on a Defense Department network. The Espionage Act charges — which First Amendment activists say come dangerously close to criminalizing journalism — were added later.
“DOJ has charged one person in the Vault 7 theft,” Bertrand reported. “A former CIA employee, Joshua Schulte, was indicted for transmitting the Vault 7 documents to WikiLeaks. He has pleaded not guilty and his trial is set for November.”
PATCHED: As the clock ticks down to 2020, the Department of Homeland Security is still falling short on efforts to secure state and local election infrastructure, the department’s internal watchdog says.
The department hasn’t completed all the necessary plans to identify and mitigate digital election threats or established metrics to gauge whether its election security efforts are successful, the department’s inspector general said in a semiannual report to Congress released last week.
The report cited “senior leadership turnover and a lack of guidance and administrative staff” as the main hindrances, as well as long lag time to give new employees security clearances.
“Additional staff could enhance DHS’ ability to provide technical assistance and outreach to state and local election officials during elections,” the report states.
PWNED: Secretary of State Mike Pompeo warned German officials Friday that the United States may withhold intelligence from them if they allow the Chinese telecom Huawei to build any portion of their next-generation 5G wireless networks, Reuters's David Brunnstrom reported.
Trump administration leaders have made similar threats in the past, but rarely so directly.
“(There is) a risk we will have to change our behavior in light of the fact that we can’t permit data on private citizens or data on national security to go across networks that we don’t have confidence (in),” Pompeo told a news conference after meeting with German Foreign Minister Heiko Maas.
Pompeo also said that the United States' European allies “will take their own sovereign decisions, (but we) will speak to them openly about the risks . . . and in the case of Huawei the concern is it is not possible to mitigate those anywhere inside of a 5G network,” Reuters reported.
Cybersecurity news from the public sector:
-- Reuters reporter Joseph Menn’s book "Cult of the Dead Cow" — focused on one of the earliest hacking collectives, which counted a teenage Beto O’Rourke among its members — will be coming out this week. Check out this excerpt courtesy of Wired — focused on the early cybersecurity firm @Stake whose employees included many of today’s top cybersecurity researchers and executives.